
OpenClaw 2026.4.1 stable dropped this week, and the headline isn't the shiny new /tasks chat board or the bundled SearXNG integration; it's CVE-2026-33577, a CVSS 9.8 privilege-escalation flaw in node pairing approval that affects every release before 2026.3.28. Censys' March 31 scan confirmed roughly 63,000 publicly reachable OpenClaw instances, and the patch matters for every one of them. If you're running multi-node clustering and you haven't updated yet, stop reading about features and skip to the security section.
For everyone else, this release is genuinely interesting: a chat-native task board, zero-config web search, Amazon Bedrock Guardrails for enterprise safety, and macOS Voice Wake that finally makes hands-free agent automation practical.
TL;DR: OpenClaw now has a built-in task board you manage entirely through chat commands; no separate project tool needed.
The new /tasks system turns the OpenClaw chat surface into a lightweight project board. Instead of context-switching to Trello, Linear, or a Notion kanban, you manage tasks where you already work: inside the agent conversation.
The tasks chat board supports standard operations through slash commands:
- `/tasks add "Refactor auth middleware" --priority high --assignee @agent-3`
- `/tasks list --status in_progress`
- `/tasks done 42` (marks task #42 complete)
- `/tasks board` (renders a visual kanban in the chat window)

Tasks persist across sessions and sync between nodes in a multi-node cluster. Each task carries metadata: priority, assignee (human or agent), status, creation timestamp, and a thread link back to the conversation where it originated.
If you're running agent automation workflows, the tasks board becomes the coordination layer between agents. One agent identifies a bug and creates a task; another picks it up and opens a PR. The whole lifecycle stays inside OpenClaw, and it pairs naturally with the new Feishu Drive integration and MiniMax plugin for teams already using those ecosystems.
To enable the task board, add the following to your config.yaml:
```yaml
plugins:
  tasks:
    enabled: true
    default_board: "main"
    sync_interval: 30s
    max_tasks_per_board: 500
```

TL;DR: OpenClaw now ships SearXNG built-in, giving agents zero-config private web search with no third-party API keys.
Previously, giving your OpenClaw agents web search meant configuring external APIs (Bing, Google) or self-hosting SearXNG separately. The 2026.4.1 release bundles SearXNG directly into the OpenClaw container.
```yaml
search:
  engine: searxng-bundled
  max_results: 10
  safe_search: 1
  engines:
    - google
    - duckduckgo
    - brave
```

No API keys, no extra container. The bundled instance runs on an internal port and is only accessible to your OpenClaw agents; it is not exposed publicly by default. Because SearXNG is a metasearch engine that doesn't track queries, agents' search activity stays private, which is a meaningful upgrade over commercial APIs that log every call.
TL;DR: Enterprise teams can now enforce content safety and topic restrictions through Amazon Bedrock Guardrails natively in OpenClaw.
The new integration lets you define safety policies that filter both inputs and outputs through AWS's guardrail system, the first enterprise-grade content safety layer built directly into OpenClaw.
| Feature | Before 2026.4.1 | After 2026.4.1 |
|---|---|---|
| Content filtering | Manual prompt rules | Bedrock Guardrails policy engine |
| Topic blocking | Not supported | Configurable denied topics |
| PII detection | Third-party plugins | Native Bedrock PII filters |
| Audit logging | Basic chat logs | Guardrail trace IDs per message |
```yaml
guardrails:
  provider: amazon-bedrock
  guardrail_id: "YOUR_GUARDRAIL_ID"
  guardrail_version: "DRAFT"
  region: "us-east-1"
  # Credentials via standard AWS credential chain
```

TL;DR: Say "Hey Claw" to activate your local OpenClaw agent hands-free on macOS; no keyboard required.
Voice Wake uses on-device wake-word detection (via Porcupine or OpenWakeWord) to listen for a configurable trigger phrase. Once it fires, OpenClaw opens and begins transcribing your voice input as a prompt, locally with Whisper or via a cloud STT provider like Deepgram if you want lower latency.
```yaml
voice_wake:
  enabled: true
  wake_word: "hey claw"
  detector: porcupine      # or openwakeword
  stt: whisper-local       # or whisper-api / deepgram
  sensitivity: 0.7
  auto_submit: false
```

Wake-word detection runs locally; no audio leaves the machine until you've actually triggered the session and chosen a cloud STT path. Set `auto_submit: true` for a fully hands-free workflow, or leave it `false` to review the transcription before sending.
TL;DR: A privilege-escalation flaw in node pairing approval lets a low-privilege operator approve nodes with broader scopes than they hold; patch to 2026.3.28+ immediately.
This is the section that matters most. CVE-2026-33577 (CVSS 9.8) is a critical insufficient-authorization bug (CWE-863) in `node-pairing.ts`. The pairing approval path failed to validate `callerScopes` against the scope being granted, so an authenticated user with limited privileges could approve a pairing request that granted the new node a broader scope than the approver themselves held.
Affected deployments: any OpenClaw instance running before 2026.3.28 with multi-node clustering enabled. Single-node instances with pairing disabled aren't directly vulnerable, but the pairing endpoint may still be reachable if you haven't explicitly firewalled it.
To remediate an affected cluster:

- Run `openclaw nodes list --verbose` and verify every node and its scope.
- Revoke anything suspicious with `openclaw nodes revoke <node-id>`.
- Rotate cluster keys with `openclaw cluster rotate-keys`.

With ~63K publicly reachable instances per Censys' late-March scan, OpenClaw security is a community responsibility. Run this checklist on every instance:
- Disable automatic approval of pairing requests (`pairing.auto_approve: false`)

```yaml
# Recommended security block for config.yaml
security:
  pairing:
    auto_approve: false
    require_otp: true
    max_pending_requests: 3
    enforce_caller_scopes: true
  rate_limiting:
    enabled: true
    requests_per_minute: 60
    pairing_requests_per_hour: 5
  tls:
    enforce: true
    min_version: "1.3"
```

Single-node instances with pairing explicitly disabled aren't directly vulnerable to the privilege escalation. The pairing endpoint may still be reachable if it isn't firewalled, so updating to 2026.4.1 and blocking the endpoint is recommended as defense in depth.
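The approver-scope check the advisory describes, in vulnerable and fixed shape, plus the node audit from the remediation steps, as an added TypeScript illustration. This is not OpenClaw's own `node-pairing.ts`; the scope names, operator records and node records are constructed for the example.

```typescript
// Added illustration, not OpenClaw's own node-pairing.ts: the approver-scope
// check the advisory describes, in vulnerable and fixed shape, plus an audit
// pass over paired nodes. Scope names, operators and node records are constructed.

type PairingRequest = { nodeId: string; requestedScopes: string[] };
type Caller = { operator: string; scopes: string[] };
type PairedNode = { nodeId: string; scopes: string[]; approvedBy: string };

// Returns the requested scopes the approver does not hold (empty means a clean subset).
function exceedsCallerScopes(callerScopes: string[], requested: string[]): string[] {
  const held = new Set(callerScopes);
  return requested.filter((s) => !held.has(s));
}

// Vulnerable shape (CWE-863): the caller is authenticated, but the granted scope
// is never compared with callerScopes, so any approver can hand out any scope.
function approvePairingVulnerable(caller: Caller, req: PairingRequest): PairedNode {
  return { nodeId: req.nodeId, scopes: req.requestedScopes, approvedBy: caller.operator };
}

// Fixed shape: refuse any request that would grant a scope the approver lacks.
function approvePairingFixed(caller: Caller, req: PairingRequest): PairedNode {
  const excess = exceedsCallerScopes(caller.scopes, req.requestedScopes);
  if (excess.length > 0) {
    throw new Error(`scope escalation refused: approver lacks ${excess.join(", ")}`);
  }
  return { nodeId: req.nodeId, scopes: req.requestedScopes, approvedBy: caller.operator };
}

// Audit step from the remediation list: flag every node whose granted scope
// exceeds the scope of the operator who approved it. `operators` maps name -> scopes.
function auditPairedNodes(nodes: PairedNode[], operators: Record<string, string[]>): string[] {
  return nodes
    .filter((n) => exceedsCallerScopes(operators[n.approvedBy] ?? [], n.scopes).length > 0)
    .map((n) => n.nodeId);
}

// Constructed sample data so the block runs stand-alone.
const OPERATORS: Record<string, string[]> = {
  alice: ["admin", "nodes:read", "nodes:approve"],
  bob: ["nodes:read", "nodes:approve"],
};
const SAMPLE_NODES: PairedNode[] = [
  { nodeId: "node-a", scopes: ["nodes:read"], approvedBy: "bob" },
  { nodeId: "node-b", scopes: ["admin", "nodes:read"], approvedBy: "bob" },
  { nodeId: "node-c", scopes: ["admin"], approvedBy: "alice" },
];

console.log("nodes to review:", auditPairedNodes(SAMPLE_NODES, OPERATORS)); // ["node-b"]
```

The same subset check is what `enforce_caller_scopes: true` in the config block above is meant to switch on; the audit helper is the programmatic form of reviewing `openclaw nodes list --verbose` output by hand.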
Yes. The tasks chat board is designed to work alongside existing plugins. Tasks created through /tasks add can reference Feishu Drive documents by URL, and MiniMax agents can be assigned as task owners.
The bundled instance is lightweight, roughly 100-200 MB of RAM at idle, scaling with query volume. It only starts when the first search query is issued, not at boot. Resource-constrained deployments can disable it and continue using external APIs.
Wake-word detection runs locally via Porcupine or OpenWakeWord; audio stays on the machine until the wake word fires. You can toggle it off via the menu-bar icon or schedule active listening hours in config.
Run `openclaw nodes list --verbose` and audit every paired node, paying close attention to any node whose granted scope exceeds the approving operator's scope. Revoke anything suspicious with `openclaw nodes revoke <node-id>`, then rotate cluster keys with `openclaw cluster rotate-keys`.
The 2026.4.1 release marks a turning point for OpenClaw, moving from a powerful but loosely secured agent platform toward something enterprises can deploy with more confidence. The Bedrock Guardrails integration signals where the project is heading: production-grade safety and compliance tooling built into the core.
If your team is deploying OpenClaw at scale and needs help with security hardening, node architecture, or integrating agent automation into existing enterprise workflows, Elegant Software Solutions works with mid-market teams to build secure, production-ready AI infrastructure. Schedule a consultation to discuss your OpenClaw deployment strategy.